Databricks keeps your personal information for as long as it needs it for business purposes, legal obligations, or to defend against claims, without specifying a fixed retention period for most data categories.
This analysis describes what Databricks's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention language means your data could be kept indefinitely for broad purposes including legal defense, which may conflict with data minimization principles under GDPR and similar frameworks.
Interpretive note: The practical retention period for specific data categories cannot be determined from the notice text alone, and the adequacy of this disclosure under GDPR Article 13 and 14 requires further assessment.
Removed detailed explanation of retention period determination factors and added specific use cases (legal claim defense and fraud prevention) while shortening overall provision.
View full change record →Your personal data may be retained by Databricks for an indefinite period tied to broad business and legal purposes, with no specific maximum retention period stated for most data categories, limiting your ability to predict when data will be deleted.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Databricks has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.— Excerpt from Databricks's Databricks Privacy Notice
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires personal data to be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed (storage limitation principle). The open-ended retention language in this provision creates potential tension with this principle, and EU supervisory authorities have taken enforcement action against organizations with excessively broad retention justifications. US state privacy laws generally do not impose explicit retention period requirements but do support deletion rights. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods for defined data categories is common in public-facing privacy notices but may not satisfy GDPR's requirement for specific retention information in privacy notices under Article 13 and 14. A records retention schedule with category-specific periods should exist internally. JURISDICTION FLAGS: EU/EEA organizations should assess whether Databricks' retention practices satisfy GDPR storage limitation requirements, particularly for personal data processed under legitimate interests. UK users have similar rights under UK GDPR. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers whose employee or contact data Databricks processes should request information about specific retention periods applicable to their data under the DPA, as the public notice's open-ended language may not provide adequate specificity for GDPR Article 28 compliance. COMPLIANCE CONSIDERATIONS: Legal teams should request Databricks' internal data retention schedule as part of vendor due diligence, and should assess whether the stated legal defense and fraud prevention justifications for extended retention are proportionate to the data categories involved.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention language means your data could be kept indefinitely for broad purposes including legal defense, which may conflict with data minimization principles under GDPR and similar frameworks.
Your personal data may be retained by Databricks for an indefinite period tied to broad business and legal purposes, with no specific maximum retention period stated for most data categories, limiting your ability to predict when data will be deleted.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Databricks.